[Diagram labels: Language Specific Processor; IR; Vulnerability Lattice for Variables; Vulnerability Lattice for each argument at selected call sites; Vulnerability Analyzer; Vulnerabilities at each call site]

FIGURE 1 




FIGURE 2 



[Diagram label: (Maximum Size, Minimum Size); reference numeral 22]



FIGURE 3 



[Diagram label: (Maximum Size, Minimum Size); reference numeral 26]

FIGURE 4 



[Diagram labels: Null Terminated; Not Null Terminated]




FIGURE 5 



[Diagram labels: Stack Memory; Heap Memory; Static Memory; Constant Memory; reference numeral 30]

FIGURE 6 



[Diagram label: A Specific String Constant]

FIGURE 7 







FIGURE 8 



FIGURE 9 



[Flowchart text; reference numerals in parentheses; decision nodes branch on True / False]

Variable is Array or Structure (36)
Variable is Visible to other routines or passed in as an argument (38)
Vulnerability Lattice: Memory Size <- Size of Variable; All Other Values <-
Vulnerability Lattice: Memory Size <- Size of Variable; All Other Values

Variable is Pointer (44)
Variable is Visible to other routines or passed in as an argument (46)
Vulnerability Lattice: All Values <- High (48)
Vulnerability Lattice: All Values <- Low (49)

Variable is Visible to other routines or passed in as an argument (52)
Integral Lattice <- High (54)
Integral Lattice <- Low (56)



FIGURE 10A 




[Flowchart text; reference numerals in parentheses]

Vulnerability Lattice:
Memory Size Lattice <- size of variable
Memory Location Lattice <- memory of variable
all other lattice entries <-
Vulnerability Lattice for Addressed Variable:
Data Size Lattice <- ⊥
Null Terminated Lattice <- ⊥
String Value Lattice <-
Data Origin Lattice <- ⊥
(62)

Vulnerability Lattice:
Memory Size Lattice <- size of variable
Memory Location Lattice <- memory of variable
Data Size Lattice <- size of string
Null Terminated Lattice <- True
String Value Lattice <- value of string
Data Origin Lattice <- Internal
(64)

Vulnerability Lattice <-
(68)

Vulnerability Lattice:
Memory Size Lattice <- size of String
Data Size Lattice <- size of String
Null Terminated Lattice <- Null Terminated
Memory Location Lattice <- Constant Memory
String Value Lattice <- String
Data Origin Lattice <- Internal
(72)

Integral Lattice <- value of integer constant (76)

Expression Lattice <- Merge(Expression Lattice for 2nd expression, Expression Lattice for 3rd expression) (80)

The Expression Lattice for the Variable <- Merge(Old Expression Lattice for the Variable, Expression Lattice for the Expression) (84)



Figure 10B 




FIGURE 11A 




[Flowchart text; reference numerals in parentheses; decision nodes branch on True / False]

Vulnerability Lattice:
Memory Size Lattice <- size of variable
Memory Location Lattice <- memory of variable
all other lattice entries <- ⊥
(100)

Vulnerability Lattice:
Memory Size Lattice <- size of variable
Memory Location Lattice <- memory of variable
Data Size Lattice <- size of string
Null Terminated Lattice <- True
String Lattice <- value of string
Data Origin Lattice <- Internal
(102)

Value of Variable (104)
Vulnerability Lattice <- Lattice Value associated with the Variable (106)

Constant String (108)
Vulnerability Lattice:
Memory Size Lattice <- size of String
Data Size Lattice <- size of String
Null Terminated Lattice <- Null Terminated
Memory Location Lattice <- Constant Memory
String Lattice <- String
Data Origin Lattice <- Internal
(110)

Integer Constant (112)
Integral Lattice <- value of integer constant (114)

? : (116)
Expression Lattice <- Merge(Expression Lattice for 2nd expression, Expression Lattice for 3rd expression) (118)

Variable <- Expression (120)
The Expression Lattice for the Variable <- (Old Expression Lattice for the Variable) (122)



Figure 11B 



[Flowchart text; reference numerals in parentheses; decision nodes branch on True / False]

Integral Operation (124)
Integral Lattice <- result of integral computation on input Integral Lattices (126)

Size of (Variable) (128)
Integral Lattice <- size of the variable in bytes (130)

No Expression Processing Done
Expression Lattice <- ⊥ (132)






FIGURE 12 



[Diagram labels: Language Specific Processor; Vulnerability Analyzer]




FIGURE 13 



